Researcher Reveals: All iOS Devices Allow Access to All Data Through Hidden Services

JONATHAN ZDZIARSKI presented how all iOS devices run Apple-created, undocumented, hidden services that allow access to all data on the device, even encrypted data. His slides are available here. Below I have summarized some of the more interesting parts and tried to put them in less technical terms.

Highlights

Apple has worked hard to make iOS devices reasonably secure against typical attackers

Apple has worked hard to ensure that Apple can access data on end-user devices on behalf of law enforcement

Almost all native application / OS data is encrypted, but with a key the device itself holds rather than one derived from the user's passcode, so "encrypted" does not by itself mean "protected"

As of iOS 7, a third-party app's Documents folder is encrypted with data protection, but its Library and Caches folders usually are not

Once the device has been unlocked for the first time after a reboot, the keys for most of the encrypted data stay available (even while the screen is locked) until the device is shut down

The undocumented services running on every iOS device are what make that data reachable

Your device is almost always at risk of spilling all of its data, because it has almost always been unlocked once since boot and is therefore in the "authenticated" state, even while locked

Undocumented Services Overview

Accessed through lockdownd, which requires pairing authentication (a pairing record from a computer the device has trusted)

The iOS 7 "Trust This Computer?" dialog helps, but third-party accessories are training people to tap Trust without thinking again

Bypasses the "Backup Encryption" mechanism offered to users, so data comes out unencrypted even when backups are password-protected

Can be accessed both via USB and wirelessly (over Wi-Fi, where lockdownd listens on TCP port 62078, and possibly cellular); networks can be scanned for a specific target device

If the device has not been rebooted since the user last entered the PIN, these services can reach all data encrypted with data protection (third-party app data, etc.)

com.apple.mobile.installation_proxy: given an enterprise certificate, this can be used to load custom software onto the device, which can then run invisibly in the background

com.apple.syslog_relay: relays the device's syslog, which reveals a lot about what the device is doing and often leaks user credentials that third-party apps write out with NSLog()
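To make the lockdownd part concrete, here is an added example (mine, not from Zdziarski's slides or any Apple or libimobiledevice code) of what a client exchange looks like on the wire and how the syslog_relay output would be checked for leaked credentials. lockdownd frames are a 4-byte big-endian length followed by an XML plist, and the unauthenticated QueryType request is how a scanner confirms that whatever answers on port 62078 really is lockdownd; StartService is the call that hands back a port for a service such as com.apple.syslog_relay, and only works inside a session opened with a valid pairing record. The device replies and the syslog lines below are constructed for the example, not captured from a real device, and the client label "example-client" is a placeholder.

```python
import plistlib
import re
import struct

# lockdownd listens on TCP 62078 when Wi-Fi sync is enabled (over USB it is
# reached through usbmuxd); this is the port a network scan would look for.
LOCKDOWN_PORT = 62078


def encode_frame(msg: dict) -> bytes:
    """lockdownd framing: a 4-byte big-endian length, then an XML plist."""
    body = plistlib.dumps(msg, fmt=plistlib.FMT_XML)
    return struct.pack(">I", len(body)) + body


def decode_frames(data: bytes) -> list:
    """Split a byte stream into complete frames; a trailing partial frame is left unread."""
    frames, off = [], 0
    while off + 4 <= len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        if off + 4 + length > len(data):
            break
        frames.append(plistlib.loads(data[off + 4:off + 4 + length]))
        off += 4 + length
    return frames


def query_type_request(label: str = "example-client") -> dict:
    # QueryType is answered before any pairing, which is what makes it usable as a probe.
    return {"Label": label, "Request": "QueryType"}


def start_service_request(service: str, label: str = "example-client") -> dict:
    # StartService only succeeds inside a session opened with a pairing record.
    return {"Label": label, "Request": "StartService", "Service": service}


def is_lockdownd(reply: dict) -> bool:
    return reply.get("Request") == "QueryType" and reply.get("Type") == "com.apple.mobile.lockdown"


def service_port(reply: dict):
    """(port, None) when the service was started, (None, error) otherwise."""
    if "Error" in reply:
        return None, reply["Error"]
    return reply.get("Port"), None


# --- scanning syslog_relay output for credentials that apps logged via NSLog() ---
PROCESS_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+[\d:]+\s+\S+\s+([^\s\[]+)\[\d+\]")
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)\s*[=:]\s*[\"']?([^\s\"',;}]+)")),
    ("http-auth", re.compile(r"(?i)authorization:\s*(basic|bearer)\s+([A-Za-z0-9._=+/-]+)")),
]


def find_leaked_credentials(lines) -> list:
    """Return one finding per credential-looking token, tagged with the logging process."""
    findings = []
    for i, line in enumerate(lines):
        m = PROCESS_RE.match(line)
        process = m.group(1) if m else "?"
        for kind, pat in CREDENTIAL_PATTERNS:
            for hit in pat.finditer(line):
                findings.append({"line": i, "process": process, "kind": kind,
                                 "key": hit.group(1), "value": hit.group(2)})
    return findings


# Constructed sample data for the example (not captured from a real device).
CONSTRUCTED_REPLIES = {
    "QueryType": {"Request": "QueryType", "Type": "com.apple.mobile.lockdown"},
    "StartService": {"Request": "StartService", "Service": "com.apple.syslog_relay",
                     "Port": 49217, "EnableServiceSSL": False},
}
CONSTRUCTED_SYSLOG = [
    "Jul 18 10:02:11 iPhone locationd[61] <Notice>: Location icon should now be in state 'Active'",
    "Jul 18 10:02:12 iPhone AcmeShop[447] <Warning>: login request user=alice password=hunter2",
    "Jul 18 10:02:12 iPhone AcmeShop[447] <Warning>: headers {Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc}",
    "Jul 18 10:02:13 iPhone SpringBoard[48] <Notice>: Application launched",
]


def run_example():
    """Walk the exchange against the constructed replies; returns (service port, findings)."""
    wire = encode_frame(query_type_request())          # bytes a real client would send
    assert decode_frames(wire)[0]["Request"] == "QueryType"
    if not is_lockdownd(CONSTRUCTED_REPLIES["QueryType"]):
        return None, []
    port, err = service_port(CONSTRUCTED_REPLIES["StartService"])
    if err:
        return None, []
    return port, find_leaked_credentials(CONSTRUCTED_SYSLOG)


if __name__ == "__main__":
    port, findings = run_example()
    print("syslog_relay reachable on port", port)
    for f in findings:
        print(f"line {f['line']} {f['process']}: {f['kind']} {f['key']}={f['value']}")
```

Against a real device the frames from encode_frame would go over a TCP connection to port 62078 (or through usbmuxd), and the StartSession step that presents the pairing record is left out here because it is exactly the step a pairing record from a previously trusted computer lets an attacker skip. The credential scan is the same check an app developer should run on their own syslog output before shipping, since anything that shows up there is readable by anyone who can reach syslog_relay.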

An already documented and fairly public example of these undocumented services being used

DROPOUTJEEP – a software implant for iPhones that allows an operator to remotely copy files from or place files on the device, retrieve text messages, contacts, voicemail and location information, turn on the microphone and camera, and read cell tower location. Installing the implant requires "close access", which means they don't need to physically touch the device; Bluetooth or Wi-Fi range might be "close enough". Data extraction is done over GPRS (essentially cellular data) or through text messaging. Ironically, all communication with the implant is "covert and encrypted".

If you want to close off some of this attack surface, Apple provides a simple and free tool called Apple Configurator that can supervise the device and prevent it from pairing with any host other than the supervising computer.
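The restriction Apple Configurator applies is a Restrictions payload (PayloadType com.apple.applicationaccess) with allowHostPairing set to false, which only takes effect on a supervised device. As an added example that is not part of the original post or any Apple tooling, the script below builds such a .mobileconfig with plistlib and, more usefully for an audit, checks an exported profile to confirm it actually carries the restriction. The organization name and identifier are placeholders, and the generated profile is unsigned.

```python
import plistlib
import uuid

RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"


def build_pairing_profile(org: str, identifier: str, allow_host_pairing: bool = False) -> bytes:
    """Return an unsigned .mobileconfig whose Restrictions payload sets allowHostPairing.

    allowHostPairing=False blocks pairing with every host except the supervising one;
    it is ignored on an unsupervised device, so supervision is a prerequisite.
    """
    restriction = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Host pairing restriction",
        "allowHostPairing": allow_host_pairing,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,          # placeholder reverse-DNS identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Pairing lockdown",
        "PayloadOrganization": org,               # placeholder organization name
        "PayloadContent": [restriction],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_blocks_pairing(mobileconfig: bytes) -> bool:
    """True only if a Restrictions payload explicitly sets allowHostPairing to False.

    A missing key means the default (pairing allowed), so absence is a failure,
    not a pass; that is the case an audit most often needs to catch.
    """
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        if payload.get("allowHostPairing") is False:
            return True
    return False


if __name__ == "__main__":
    blob = build_pairing_profile("Example Corp", "com.example.nopair")
    with open("nopair.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("profile blocks host pairing:", profile_blocks_pairing(blob))
```

Install the profile on a supervised device (for example through Apple Configurator) and the "Trust This Computer?" prompt never appears for other hosts; computers that already hold a pairing record for the device are a separate matter and are not revoked by the profile.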